Risk Update

Event Report — Risk and Compliance Conference Highlights (AML & InfoSec)

Posted Dan Bressler

Law Society Risk and Compliance Conference” —

AML:

  • “Anti-money laundering (AML) compliance is a ‘messy and complicated area’, Amasis Saba, chair of the Law Society’s money laundering taskforce, told the conference. He added: ‘But nonetheless, the government has said it will not relax its efforts to identify and penalise those firms that are not on top of it.’”
  • “Colette Best, the SRA’s director of AML, endorsed Saba’s comment about the area’s complexity. ‘The biggest challenge,’ she said, ‘is the pace of change. There were new regulations in 2017 and then again in 2019. And now a 212-page newly revised and updated guidance was published in January 2021. It’s difficult to keep up.’”
  • “Saba turned his attention to what every firm must have in place: written risk assessments. ‘You must show what you, the firm, have actually done. It is not a generic, tick-box process. Consultants can be useful, but you need to own what you have done.’”
  • “Risk assessments should be both firm-wide and related to specific matters, he continued. Everyone should be involved, including fee-earners and anyone else who has access to the files. ‘We should also all be asking ourselves whether there are factors that make any particular transaction more complex than usual or different. Does what the client tells you make sense? What precisely did the client do to earn all this money?”

Information Security & Cyber:

  • “The Pentagon, with the resources to invest in state-of-the art cybersecurity, is not the only high-profile victim. US law firm Jones Day, which numbers former president Donald Trump among its clients, also had data compromised. ‘The vulnerability in this instance was that older systems were buried in modern updates,’ explained Wright, ‘which highlights the dangers of hanging on to legacy technology.’”
  • “What can you do to minimise the risk to your firm? Fleming urged you to test your defence systems with ‘simulated attacks’ launched by yourself against yourself. ‘Fraudsters typically try to tempt you with offers that, upon reflection, are too good to be true. They also try to make you panic and act recklessly out of fear of being prosecuted or missing out on an opportunity. Teach colleagues to recognise such scams or simply to pick up the phone and check that the email they’ve just received is genuinely from an established client or somebody else they think they can trust.’”
  • “Working from home has its own hazards. ‘Even automated vacuum cleaners can be hacked,’ said Wright, ‘as can smart fridges, lights and speakers. On top of this, of course, a colleague’s personal laptop probably won’t offer the same level of protection as the office’s system of firewalls and alerts. Best practice would be to get an expert to go to colleagues’ homes and verify the protective measures in place.’”